From aa7831afa16dc4559ff32c0d2b005f8f14e0de6b Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 1 Jun 2023 13:58:33 +0200
Subject: [PATCH] bump reva

Signed-off-by: jkoberg
---
 go.mod | 2 +
 go.sum | 4 +-
 ocis/pkg/command/auth-service.go | 30 +++++++
 .../reva/v2/pkg/auth/manager/loader/loader.go | 1 +
 .../v2/pkg/auth/manager/registry/registry.go | 4 +-
 .../serviceaccounts/serviceaccounts.go | 88 +++++++++++++++++++
 .../v2/pkg/storage/registry/spaces/spaces.go | 2 +-
 .../utils/decomposedfs/node/permissions.go | 16 ++++
 .../cs3org/reva/v2/pkg/utils/grpc.go | 25 ++----
 vendor/modules.txt | 4 +-
 10 files changed, 153 insertions(+), 23 deletions(-)
 create mode 100644 ocis/pkg/command/auth-service.go
 create mode 100644 vendor/github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts/serviceaccounts.go

diff --git a/go.mod b/go.mod
index b98252aafe4..e358986bcc6 100644
--- a/go.mod
+++ b/go.mod
@@ -337,3 +337,5 @@ require (
 )
 
 replace github.com/cs3org/go-cs3apis => github.com/2403905/go-cs3apis v0.0.0-20230517122726-727045414fd1
+
+replace github.com/cs3org/reva/v2 => github.com/kobergj/reva/v2 v2.0.0-20230817115237-b53cb6989688
diff --git a/go.sum b/go.sum
index 0417709d0c7..56da12c451e 100644
--- a/go.sum
+++ b/go.sum
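Review bot: The new `replace` directive at the end of the go.mod hunk redirects every import of `github.com/cs3org/reva/v2` to a personal fork, `github.com/kobergj/reva/v2`, pinned by pseudo-version, which is more than the "bump reva" title suggests: the build now depends on a repository outside the organisation's control. The directive should carry a comment stating what it tracks and when it goes away, e.g. `// TODO(review): temporary, points at the serviceaccounts work; revert to upstream cs3org/reva once merged`. Before merging, confirm that the fork commit contains only the intended change set relative to the upstream version it replaces, and that the replace is removed before a release is cut.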
@@ -864,8 +864,6 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
-github.com/cs3org/reva/v2 v2.15.1-0.20230816081257-e3a2be91bc4f h1:s0sBJbIB8atyhujVx/OaadujuRHer8ODPpWxyGWfw/s=
-github.com/cs3org/reva/v2 v2.15.1-0.20230816081257-e3a2be91bc4f/go.mod h1:6GyXffmxluCqQxXaYuVC2Dg10gj0QW199iVlxV0EAJg=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -1468,6 +1466,8 @@ github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.1.0 h1:eyi1Ad2aNJMW95zcSbmGg7Cg6cq3ADwLpMAP96d8rF0=
 github.com/klauspost/cpuid/v2 v2.1.0/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/kobergj/reva/v2 v2.0.0-20230817115237-b53cb6989688 h1:bzvifQjL49XpnCnA8dChK1B1SyjftBFRYa1fwWnOJ9g=
+github.com/kobergj/reva/v2 v2.0.0-20230817115237-b53cb6989688/go.mod h1:6GyXffmxluCqQxXaYuVC2Dg10gj0QW199iVlxV0EAJg=
 github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
diff --git a/ocis/pkg/command/auth-service.go b/ocis/pkg/command/auth-service.go
new file mode 100644
index 00000000000..e0796e9b61a
--- /dev/null
+++ b/ocis/pkg/command/auth-service.go
@@ -0,0 +1,30 @@
+package command
+
+import (
+ "github.com/owncloud/ocis/v2/ocis-pkg/config"
+ "github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
+ "github.com/owncloud/ocis/v2/ocis-pkg/config/parser"
+ "github.com/owncloud/ocis/v2/ocis/pkg/command/helper"
+ "github.com/owncloud/ocis/v2/ocis/pkg/register"
+ "github.com/owncloud/ocis/v2/services/auth-service/pkg/command"
+ "github.com/urfave/cli/v2"
+)
+
+// AuthServiceCommand is the entrypoint for the AuthService command.
+func AuthServiceCommand(cfg *config.Config) *cli.Command {
+ return &cli.Command{
+ Name: cfg.AuthService.Service.Name,
+ Usage: helper.SubcommandDescription(cfg.AuthService.Service.Name),
+ Category: "services",
+ Before: func(c *cli.Context) error {
+ configlog.Error(parser.ParseConfig(cfg, true))
+ cfg.AuthService.Commons = cfg.Commons
+ return nil
+ },
+ Subcommands: command.GetCommands(cfg.AuthService),
+ }
+}
+
+func init() {
+ register.AddCommand(AuthServiceCommand)
+}
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/loader/loader.go b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/loader/loader.go
index 694cd98c29f..9fcba055412 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/loader/loader.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/loader/loader.go
@@ -30,5 +30,6 @@ import (
  _ "github.com/cs3org/reva/v2/pkg/auth/manager/oidc"
  _ "github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql"
  _ "github.com/cs3org/reva/v2/pkg/auth/manager/publicshares"
+ _ "github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts"
  // Add your own here
 )
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/registry/registry.go b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/registry/registry.go
index aea682f79d4..8d92a13e193 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/registry/registry.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/registry/registry.go
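Review bot: In the `Before` hook of `AuthServiceCommand` the result of `parser.ParseConfig(cfg, true)` is handed to `configlog.Error` and the hook then returns `nil` unconditionally, so a configuration error does not prevent the subcommands from running; if `configlog.Error` only logs, the service starts on a partially parsed config. If that mirrors the sibling service commands (not visible here) it is acceptable for consistency, but returning the parse error instead of swallowing it would be the safer default. At minimum a comment on the hook should make the choice explicit, e.g. `// config parse errors are logged and not returned, matching the other service commands`.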
@@ -18,7 +18,9 @@ package registry -import "github.com/cs3org/reva/v2/pkg/auth" +import ( + "github.com/cs3org/reva/v2/pkg/auth" +) // NewFunc is the function that auth implementations // should register to at init time. diff --git a/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts/serviceaccounts.go new file mode 100644 index 00000000000..48e16cf09db --- /dev/null +++ b/vendor/github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts/serviceaccounts.go 
@@ -0,0 +1,88 @@
+package serviceaccounts
+
+import (
+ "context"
+
+ authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
+ userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+
+ "github.com/cs3org/reva/v2/pkg/auth"
+ "github.com/cs3org/reva/v2/pkg/auth/manager/registry"
+ "github.com/cs3org/reva/v2/pkg/auth/scope"
+ "github.com/mitchellh/mapstructure"
+ "github.com/pkg/errors"
+)
+
+type conf struct {
+ ServiceUsers []serviceuser `mapstructure:"service_accounts"`
+}
+
+type serviceuser struct {
+ ID string `mapstructure:"id"`
+ Secret string `mapstructure:"secret"`
+}
+
+type manager struct {
+ authenticate func(userID, secret string) error
+}
+
+func init() {
+ registry.Register("serviceaccounts", New)
+}
+
+// Configure parses the map conf
+func (m *manager) Configure(config map[string]interface{}) error {
+ c := &conf{}
+ if err := mapstructure.Decode(config, c); err != nil {
+ return errors.Wrap(err, "error decoding conf")
+ }
+ // only inmem authenticator for now
+ a := &inmemAuthenticator{make(map[string]string)}
+ for _, s := range c.ServiceUsers {
+ // TODO: hash secrets
+ a.m[s.ID] = s.Secret
+ }
+ m.authenticate = a.Authenticate
+ return nil
+}
+
+// New creates a new manager for the 'service' authentication
+func New(conf map[string]interface{}) (auth.Manager, error) {
+ m := &manager{}
+ err := m.Configure(conf)
+ if err != nil {
+ return nil, err
+ }
+
+ return m, nil
+}
+
+// Authenticate authenticates the service account
+func (m *manager) Authenticate(ctx context.Context, userID string, secret string) (*userpb.User, map[string]*authpb.Scope, error) {
+ if err := m.authenticate(userID, secret); err != nil {
+ return nil, nil, err
+ }
+ scope, err := scope.AddOwnerScope(nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ return &userpb.User{
+ // TODO: more details for service users?
+ Id: &userpb.UserId{
+ OpaqueId: userID,
+ Type: userpb.UserType_USER_TYPE_SERVICE,
+ },
+ }, scope, nil
+}
+
+type inmemAuthenticator struct {
+ m map[string]string
+}
+
+func (a *inmemAuthenticator) Authenticate(userID string, secret string) error {
+ // TODO: hash secrets
+ if a.m[userID] == secret {
+ return nil
+ }
+ return errors.New("secrets do not match")
+}
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/storage/registry/spaces/spaces.go b/vendor/github.com/cs3org/reva/v2/pkg/storage/registry/spaces/spaces.go
index 17f3cea740e..aa8385f6626 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/storage/registry/spaces/spaces.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/storage/registry/spaces/spaces.go
@@ -481,7 +481,7 @@ func (r *registry) findProvidersForResource(ctx context.Context, id string, find
  },
  })
  }
- spaces, err := r.findStorageSpaceOnProvider(ctx, address, filters, false)
+ spaces, err := r.findStorageSpaceOnProvider(ctx, address, filters, unrestricted)
  if err != nil {
  appctx.GetLogger(ctx).Debug().Err(err).Interface("provider", provider).Msg("findStorageSpaceOnProvider by id failed, continuing")
  continue
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node/permissions.go b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node/permissions.go
index 1e5017241b5..604fae68e59 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node/permissions.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node/permissions.go
@@ -22,6 +22,7 @@ import (
  "context"
  "strings"
 
+ userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
  provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
  "github.com/cs3org/reva/v2/pkg/appctx"
  ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
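Review bot: `inmemAuthenticator.Authenticate` reads `a.m[userID]` without the `ok` check, so a lookup of an ID that is not configured yields the empty string, and `a.m[userID] == secret` is then true whenever the presented secret is empty; `manager.Authenticate` goes on to mint a `USER_TYPE_SERVICE` user with the caller-chosen `OpaqueId` and owner scope. The lookup needs a presence check, and the comparison should be constant-time via `subtle.ConstantTimeCompare` (import `crypto/subtle`) rather than `==`. `Configure` should also reject entries whose `ID` or `Secret` is empty, so a misconfiguration cannot reintroduce the same condition, and the existing `// TODO: hash secrets` stays valid for the stored values.

```go
// … unchanged: package, imports, conf/serviceuser/manager types, init …

	for _, s := range c.ServiceUsers {
		if s.ID == "" || s.Secret == "" {
			return errors.New("service account id and secret must not be empty")
		}
		// TODO: hash secrets
		a.m[s.ID] = s.Secret
	}

// … unchanged: New, (*manager).Authenticate, inmemAuthenticator type …

func (a *inmemAuthenticator) Authenticate(userID string, secret string) error {
	// TODO: hash secrets
	stored, ok := a.m[userID]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(secret)) != 1 {
		return errors.New("secrets do not match")
	}
	return nil
}
```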
@@ -84,6 +85,17 @@ func OwnerPermissions() provider.ResourcePermissions {
  }
 }
 
+// ServiceAccountPermissions defines the permissions for nodes when requested by a service account
+func ServiceAccountPermissions() provider.ResourcePermissions {
+ return provider.ResourcePermissions{
+ Stat: true,
+ ListContainer: true,
+ GetPath: true,
+ InitiateFileUpload: true,
+ InitiateFileDownload: true,
+ }
+}
+
 // Permissions implements permission checks
 type Permissions struct {
  lu PathLookup
@@ -113,6 +125,10 @@ func (p *Permissions) assemblePermissions(ctx context.Context, n *Node, failOnTr
  return NoPermissions(), nil
  }
 
+ if u.GetId().GetType() == userpb.UserType_USER_TYPE_SERVICE {
+ return ServiceAccountPermissions(), nil
+ }
+
  // are we reading a revision?
  if strings.Contains(n.ID, RevisionIDDelimiter) {
  // verify revision key format
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
index 3945d32e8cb..06ce9753f8f 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
@@ -11,19 +11,8 @@ import (
  "google.golang.org/grpc/metadata"
 )
 
-// Impersonate returns an authenticated reva context and the user it represents
-func Impersonate(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, *user.User, error) {
- usr, err := GetUser(userID, gwc, machineAuthAPIKey)
- if err != nil {
- return nil, nil, err
- }
-
- ctx, err := ImpersonateUser(usr, gwc, machineAuthAPIKey)
- return ctx, usr, err
-}
-
 // GetUser gets the specified user
-func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (*user.User, error) {
+func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient) (*user.User, error) {
  getUserResponse, err := gwc.GetUser(context.Background(), &user.GetUserRequest{UserId: userID})
  if err != nil {
  return nil, err
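Review bot: The early return added to `assemblePermissions` grants the fixed `ServiceAccountPermissions()` set, including `InitiateFileUpload`, on every node as soon as the context user's type is `USER_TYPE_SERVICE`, bypassing the revision-key, grant and space checks that follow, and neither the hunk nor the doc comment on `ServiceAccountPermissions` says why that is safe. Add the rationale at the check, e.g. `// service accounts get a fixed, grant-independent permission set; their user type is set by the auth manager, not by a directory backend`, and confirm that no other configured auth manager can produce a user carrying this type from external user data. `assemblePermissions` begins and ends outside the hunk, so the guard returning `NoPermissions()` just above is only partially visible here.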
@@ -35,13 +24,13 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKe
  return getUserResponse.GetUser(), nil
 }
 
-// ImpersonateUser impersonates the given user
-func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
- ctx := revactx.ContextSetUser(context.Background(), usr)
+// ImpersonateServiceUser impersonates the given user
+func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) {
+ ctx := context.Background()
  authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
- Type: "machine",
- ClientId: "userid:" + usr.GetId().GetOpaqueId(),
- ClientSecret: machineAuthAPIKey,
+ Type: "serviceaccounts",
+ ClientId: serviceUserID,
+ ClientSecret: serviceUserSecret,
  })
  if err != nil {
  return nil, err
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 03f1ad59bf7..d9ca4cabb14 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -352,7 +352,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.15.1-0.20230816081257-e3a2be91bc4f
+# github.com/cs3org/reva/v2 v2.15.1-0.20230816081257-e3a2be91bc4f => github.com/kobergj/reva/v2 v2.0.0-20230817115237-b53cb6989688
 ## explicit; go 1.20
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime
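Review bot: The doc comment on `ImpersonateServiceUser` is carried over from the removed `ImpersonateUser` and no longer describes the function: nothing is impersonated, it authenticates against the gateway as a service account with `Type: "serviceaccounts"` and the supplied ID and secret. Replace it with `// ImpersonateServiceUser returns a context authenticated as the service account identified by serviceUserID and serviceUserSecret`. The parameter order `(serviceUserID, gwc, serviceUserSecret)` splits the credential pair around the client, which makes call sites easier to get wrong; keeping ID and secret adjacent would be clearer, though that is a style choice. The rest of the function, including the handling of `authRes`, lies outside the hunk.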
@@ -471,6 +471,7 @@ github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql
 github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql/accounts
 github.com/cs3org/reva/v2/pkg/auth/manager/publicshares
 github.com/cs3org/reva/v2/pkg/auth/manager/registry
+github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts
 github.com/cs3org/reva/v2/pkg/auth/registry/loader
 github.com/cs3org/reva/v2/pkg/auth/registry/registry
 github.com/cs3org/reva/v2/pkg/auth/registry/static
@@ -2206,3 +2207,4 @@ stash.kopano.io/kgol/oidc-go
 ## explicit; go 1.13
 stash.kopano.io/kgol/rndm
 # github.com/cs3org/go-cs3apis => github.com/2403905/go-cs3apis v0.0.0-20230517122726-727045414fd1
+# github.com/cs3org/reva/v2 => github.com/kobergj/reva/v2 v2.0.0-20230817115237-b53cb6989688